2018-10-31 Nanocore Malspam

While looking through the email filters this morning, I came across several emails that had malicious Word docs attached to them. The sender was the same for all the emails along with the document that was attached. This is a write-up of what I was able to get from the malware on my VM. After doing some research it looks as if this malware is related to the Nanocore RAT. For more information about what this RAT is, please see the following link:

Based on the output from rtfobj, we can see that this is leveraging the Microsoft Equation editor buffer overflow exploit (CVE-2017-11882). For more information about how this works, please see Palo Alto’s Unit 42 write up here: https://researchcenter.paloaltonetworks.com/2017/12/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/. You can also see this operation via the Process Tree from Process Monitor as seen below.

Once the exploit has taken hold, the Equation Editor pulls down the file called “_outputA446BDFrolex.exe”, which then gets copied over to the “C:\Users\%username%\AppData\Roaming” path and then gets executed (PID 2588).

Once the original process for “downloads.exe” (PID 2588) has been running for a bit, it opens another instance of itself (PID 3040), and this is the process that writes out the other files within the “Roaming” folder and its sub-folders. It is also the process responsible for reaching back out to the IP address 194.5.98.182 on port 7020; the traffic looks to be encoded or encrypted.
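The chain described above (Equation Editor spawning a binary under AppData\Roaming, that binary re-launching itself, and the outbound connection to 194.5.98.182:7020) is simple enough to turn into detection rules. The following is an added example, not part of the original write-up: it runs those rules over constructed Process Monitor-style events. The Equation Editor process name EQNEDT32.EXE and the event field names are assumptions; the IP and port are the ones observed above.

```python
import ntpath
import re

EQUATION_EDITOR = "eqnedt32.exe"                 # assumed host process for CVE-2017-11882
KNOWN_C2 = {("194.5.98.182", 7020)}              # IP/port observed in this write-up
ROAMING_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", re.IGNORECASE)

# Constructed events mimicking a Process Monitor export (op, pid, image, path).
# For "Process Create", path is the child image; for "TCP Connect", path is host:port.
SAMPLE_EVENTS = [
    {"op": "Process Create", "pid": 1900,
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "path": r"C:\Users\analyst\AppData\Roaming\downloads.exe"},
    {"op": "Process Create", "pid": 2588,
     "image": r"C:\Users\analyst\AppData\Roaming\downloads.exe",
     "path": r"C:\Users\analyst\AppData\Roaming\downloads.exe"},
    {"op": "TCP Connect", "pid": 3040,
     "image": r"C:\Users\analyst\AppData\Roaming\downloads.exe",
     "path": "194.5.98.182:7020"},
    {"op": "Process Create", "pid": 1100,            # benign: Explorer launching Notepad
     "image": r"C:\Windows\explorer.exe", "path": r"C:\Windows\System32\notepad.exe"},
    {"op": "TCP Connect", "pid": 2200,               # benign: browser to a documentation IP
     "image": r"C:\Program Files\Browser\browser.exe", "path": "203.0.113.10:443"},
]


def flag_event(ev):
    """Return the names of every rule a single event matches (empty list if benign)."""
    hits = []
    image = ntpath.basename(ev["image"]).lower()
    if ev["op"] == "Process Create":
        child = ev["path"]
        if image == EQUATION_EDITOR:
            hits.append("equation_editor_spawns_process")
        if ROAMING_RE.match(child):
            hits.append("exec_from_appdata_roaming")
            if ntpath.basename(child).lower() == image:
                hits.append("roaming_binary_respawns_itself")
    elif ev["op"] == "TCP Connect":
        host, _, port = ev["path"].rpartition(":")
        if (host, int(port)) in KNOWN_C2:
            hits.append("connect_to_known_c2")
    return hits


def scan(events):
    """Flatten all findings as (pid, path, rule) tuples for triage."""
    return [(ev["pid"], ev["path"], hit) for ev in events for hit in flag_event(ev)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```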

As for the *.dat files, there was nothing readable in these files with the exception of the file called “KB_272984.dat”. I am not exactly sure what this log file is for, as it did not capture any keystrokes from what I can tell.

I also ran the tool called “strings2” against PID 3040 to see if there was anything that may be gleaned from memory. From just looking around in that log, there were some things of interest once I looked for the word “nano.” From what I was able to see, there are a lot of Japanese domains (.jp) as seen below.